{ "id": "b44a20cd-5028-4a0e-b76c-56d6d193f223", "created_at": "2026-04-06T00:19:55.172909Z", "updated_at": "2026-04-10T03:36:34.02864Z", "deleted_at": null, "sha1_hash": "ac6eb2297b269291b1b2d8ebdb84f784afa2a164", "title": "Mustang Panda, Bronze President - Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 116537, "plain_text": "Mustang Panda, Bronze President - Threat Group Cards: A Threat\r\nActor Encyclopedia\r\nArchived: 2026-04-05 12:46:57 UTC\r\nHome \u003e List all groups \u003e Mustang Panda, Bronze President\r\n APT group: Mustang Panda, Bronze President\r\nNames\r\nMustang Panda (CrowdStrike)\r\nBronze President (SecureWorks)\r\nTEMP.Hex (FireEye)\r\nHoneyMyte (Kaspersky)\r\nRed Lich (PWC)\r\nEarth Preta (Trend Micro)\r\nCamaro Dragon (Check Point)\r\nPKPLUG (Palo Alto)\r\nStately Taurus (Palo Alto)\r\nTwill Typhoon (Microsoft)\r\nHive0154 (IBM)\r\nG0129 (MITRE)\r\nCountry China\r\nSponsor State-sponsored\r\nMotivation Information theft and espionage\r\nFirst seen 2012\r\nDescription\r\n(CrowdStrike) In April 2017, CrowdStrike Falcon Intelligence observed a previously\r\nunattributed actor group with a Chinese nexus targeting a U.S.-based think tank. Further\r\nanalysis revealed a wider campaign with unique tactics, techniques, and procedures (TTPs).\r\nThis adversary targets non-governmental organizations (NGOs) in general, but uses Mongolian\r\nlanguage decoys and themes, suggesting this actor has a specific focus on gathering intelligence\r\non Mongolia. These campaigns involve the use of shared malware like Poison Ivy or PlugX.\r\nRecently, Falcon Intelligence observed new activity from Mustang Panda, using a unique\r\ninfection chain to target likely Mongolia-based victims. This newly observed activity uses a\r\nseries of redirections and fileless, malicious implementations of legitimate tools to gain access\r\nto the targeted systems. Additionally, Mustang Panda actors reused previously-observed\r\nlegitimate domains to host files.\r\nAlso see CeranaKeeper and RedDelta.\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=3fb2534f-f233-4247-a653-5fc809212951\r\nPage 1 of 5\n\nObserved\nSectors: Aviation, Education, Government, Healthcare, NGOs, Think Tanks,\nTelecommunications.\nCountries: Australia, Bangladesh, Belgium, Bulgaria, Cambodia, China, Cyprus, Czech,\nEthiopia, France, Germany, Greece, Hong Kong, Hungary, India, Indonesia, Japan, Malaysia,\nMongolia, Myanmar, Nepal, Pakistan, Philippines, Russia, Singapore, Slovakia, South Africa,\nSouth Korea, South Sudan, Sweden, Taiwan, Thailand, Tibet, UK, USA, Vietnam and UN.\nTools used\n9002 RAT, AdFind, China Chopper, Cobalt Strike, DCSync, DOPLUGS, Farseer, Hdump,\nHenBox, Hodur, HopperTick, Impacket, LadonGo, nbtscan, Mimikatz, MQsTTang, NetSess,\nNetview, nmap, Orat, Poison Ivy, PlugX, Poison Ivy, PowerView, PUBLOAD, PVE Find AD\nUsers, RCSession, ShadowPad Winnti, TeamViewer, THOR, TinyNote, TONEINS,\nTONESHELL, WmiExec, WispRider, Zupdax.\nOperations performed\n2014\nSecureworks Counter Threat Unit (CTU) researchers have observed BRONZE\nPRESIDENT activity since mid-2018 but identified artifacts suggesting that the\nthreat actors may have been conducting network intrusions as far back as 2014.\nAug 2019\nIn mid-August 2019, the Anomali Threat Research Team discovered suspicious\n“.lnk” files during routine intelligence collection. While the distribution method\nof these documents cannot be confirmed at this time, it is likely that\nspearphishing is being utilized because it aligns with Mustang Panda’s TTPs, and\nit is a common tactic used amongst APT actors.\nJan 2020\nAvira’s Advanced Threat Research team discovered a new version of PlugX from\nthe Mustang Panda APT that is used to spy on some targets in Hong Kong and\nVietnam. The way that the APT actor infects the target, and launches the\nmalicious payload is similar to previous versions—but with some differences.\nMar 2020\nVietnamese cyber-security firm VinCSS detected a Chinese state-sponsored\nhacking group (codenamed Mustang Panda) spreading emails with a RAR file\nattachment purporting to carry a message about the coronavirus outbreak from\nthe Vietnamese Prime Minister.\nMar 2020\nATR identified that the Higaisa and Mustang Panda Advanced Persistent Threat\n(APT) groups have been utilizing Coronavirus-themed lures in their campaigns.\nMar 2021\nIndonesian intelligence agency compromised in suspected Chinese hack\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=3fb2534f-f233-4247-a653-5fc809212951\nPage 2 of 5\n\nMar 2021\nTHOR: Previously Unseen PlugX Variant Deployed During Microsoft Exchange\nServer Attacks by PKPLUG Group\nMid 2021\nCyberespionage Attacks Against Southeast Asian Government Linked to Stately\nTaurus, Aka Mustang Panda\nAug 2021\nMustang Panda’s Hodur: Old tricks, new Korplug variant\nFeb 2022\nMustang Panda or Temp.Hex, a China-based threat actor, targeted European\nentities with lures related to the Ukrainian invasion.\nFeb 2022\nMustang Panda deploys a new wave of malware targeting Europe\nFeb 2022\nMustang Panda Uses the Russian-Ukrainian War to Attack Europe and Asia\nPacific Targets\nMar 2022\nBRONZE PRESIDENT Targets Russian Speakers with Updated PlugX\nMar 2022\nEarth Preta Spear-Phishing Governments Worldwide\nJun 2022\nBRONZE PRESIDENT Targets Government Officials\n2022\nEarth Preta’s Cyberespionage Campaign Hits Over 200\nOct 2022\nPack it Secretly: Earth Preta’s Updated Stealthy Strategies\nDec 2022 Operation “SmugX”\nSmugX: Unveiling a Chinese-Based APT Operation Targeting European\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=3fb2534f-f233-4247-a653-5fc809212951\nPage 3 of 5\n\nGovernmental Entities: Check Point Research Exposes a Shifting Trend\nJan 2023\nMQsTTang: Mustang Panda’s latest backdoor treads new ground with Qt and\nMQTT\nJan 2023\nMalware Spotlight: Camaro Dragon’s TinyNote Backdoor\nEarly 2023\nBeyond the Horizon: Traveling the World on Camaro Dragon’s USB Flash\nDrives\nApr 2023\nNew Mustang Panda’s campaing against Australia\nMay 2023\nCheck Point Research reveals a malicious firmware implant for TP-Link routers,\nlinked to Chinese APT group\nJul 2023\nOperation “SMUGX”\nEarth Preta Campaign Uses DOPLUGS to Target Asia\nAug 2023\nIn August, ESET researchers identified a campaign by Mustang Panda targeting\na governmental organization in Slovakia.\nAug 2023\nStately Taurus Targets the Philippines As Tensions Flare in the South Pacific\nNov 2023\nStately Taurus Targets Myanmar Amidst Concerns over Military Junta’s\nHandling of Rebel Attacks\nMar 2024\nASEAN Entities in the Spotlight: Chinese APT Group Targeting\nFeb 2025 Earth Preta Mixes Legitimate and Malicious Components to Sidestep Detection\n\nand-malicious-components-to-sidestep-detection.html\u003e\nFeb 2025\nStately Taurus Activity in Southeast Asia Links to Bookworm Malware\nApr 2025\nLatest Mustang Panda Arsenal\nJun 2025\nHive0154 aka Mustang Panda shifts focus on Tibetan community to deploy\nPubload backdoor\nInformation\nMITRE ATT\u0026CK Playbook Last change to this card: 16 August 2025\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=3fb2534f-f233-4247-a653-5fc809212951\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=3fb2534f-f233-4247-a653-5fc809212951\nPage 5 of 5", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=3fb2534f-f233-4247-a653-5fc809212951" ], "report_names": [ "showcard.cgi?u=3fb2534f-f233-4247-a653-5fc809212951" ], "threat_actors": [ { "id": "93542ae8-73cb-482b-90a3-445a20663f15", "created_at": "2022-10-25T16:07:24.058412Z", "updated_at": "2026-04-10T02:00:04.853499Z", "deleted_at": null, "main_name": "PKPLUG", "aliases": [ "Stately Taurus" ], "source_name": "ETDA:PKPLUG", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "2ff375ef-7859-4d44-9399-06c9d1d9359c", "created_at": "2023-07-11T02:00:10.063244Z", "updated_at": "2026-04-10T02:00:03.367017Z", "deleted_at": null, "main_name": "SmugX", "aliases": [], "source_name": "MISPGALAXY:SmugX", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "aa90ad17-8852-4732-9dba-72ffb64db493", "created_at": "2023-07-11T02:00:10.067957Z", "updated_at": "2026-04-10T02:00:03.367801Z", "deleted_at": null, "main_name": "RedDelta", "aliases": [], "source_name": "MISPGALAXY:RedDelta", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "873919c0-bc6a-4c19-b18d-c107e4aa3d20", "created_at": "2023-01-06T13:46:39.138138Z", "updated_at": "2026-04-10T02:00:03.227223Z", "deleted_at": null, "main_name": "Higaisa", "aliases": [], "source_name": "MISPGALAXY:Higaisa", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "926dcfeb-19dd-4786-b601-3c0c4c477b43", "created_at": "2023-01-06T13:46:38.787762Z", "updated_at": "2026-04-10T02:00:03.10053Z", "deleted_at": null, "main_name": "HenBox", "aliases": [], "source_name": "MISPGALAXY:HenBox", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "30c9c492-afc6-4aa1-8fe6-cecffed946e0", "created_at": "2022-10-25T15:50:23.400822Z", "updated_at": "2026-04-10T02:00:05.350302Z", "deleted_at": null, "main_name": "Higaisa", "aliases": [ "Higaisa" ], "source_name": "MITRE:Higaisa", "tools": [ "PlugX", "certutil", "gh0st RAT" ], "source_id": "MITRE", "reports": null }, { "id": "b69037ec-2605-4de4-bb32-a20d780a8406", "created_at": "2023-01-06T13:46:38.790766Z", "updated_at": "2026-04-10T02:00:03.101635Z", "deleted_at": null, "main_name": "MUSTANG PANDA", "aliases": [ "Stately Taurus", "LuminousMoth", "TANTALUM", "Twill Typhoon", "TEMP.HEX", "Earth Preta", "Polaris", "BRONZE PRESIDENT", "HoneyMyte", "Red Lich", "TA416" ], "source_name": "MISPGALAXY:MUSTANG PANDA", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "c0cedde3-5a9b-430f-9b77-e6568307205e", "created_at": "2022-10-25T16:07:23.528994Z", "updated_at": "2026-04-10T02:00:04.642473Z", "deleted_at": null, "main_name": "DarkHotel", "aliases": [ "APT-C-06", "ATK 52", "CTG-1948", "Dubnium", "Fallout Team", "G0012", "G0126", "Higaisa", "Luder", "Operation DarkHotel", "Operation Daybreak", "Operation Inexsmar", "Operation PowerFall", "Operation The Gh0st Remains the Same", "Purple Pygmy", "SIG25", "Shadow Crane", "T-APT-02", "TieOnJoe", "Tungsten Bridge", "Zigzag Hail" ], "source_name": "ETDA:DarkHotel", "tools": [ "Asruex", "DarkHotel", "DmaUp3.exe", "GreezeBackdoor", "Karba", "Nemain", "Nemim", "Ramsay", "Retro", "Tapaoux", "Trojan.Win32.Karba.e", "Virus.Win32.Pioneer.dx", "igfxext.exe", "msieckc.exe" ], "source_id": "ETDA", "reports": null }, { "id": "4d5f939b-aea9-4a0e-8bff-003079a261ea", "created_at": "2023-01-06T13:46:39.04841Z", "updated_at": "2026-04-10T02:00:03.196806Z", "deleted_at": null, "main_name": "APT41", "aliases": [ "WICKED PANDA", "BRONZE EXPORT", "Brass Typhoon", "TG-2633", "Leopard Typhoon", "G0096", "Grayfly", "BARIUM", "BRONZE ATLAS", "Red Kelpie", "G0044", "Earth Baku", "TA415", "WICKED SPIDER", "HOODOO", "Winnti", "Double Dragon" ], "source_name": "MISPGALAXY:APT41", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "7e75b11d-f74c-4721-958e-f5a831ae85dc", "created_at": "2024-10-25T02:02:07.623446Z", "updated_at": "2026-04-10T02:00:04.608517Z", "deleted_at": null, "main_name": "CeranaKeeper", "aliases": [], "source_name": "ETDA:CeranaKeeper", "tools": [ "ClaimLoader", "PUBLOAD", "TONEINS", "TONESHELL" ], "source_id": "ETDA", "reports": null }, { "id": "20b5fa2f-2ef1-4e69-8275-25927a762f72", "created_at": "2025-08-07T02:03:24.573647Z", "updated_at": "2026-04-10T02:00:03.765721Z", "deleted_at": null, "main_name": "BRONZE DUDLEY", "aliases": [ "TA428 ", "Temp.Hex ", "Vicious Panda " ], "source_name": "Secureworks:BRONZE DUDLEY", "tools": [ "NCCTrojan", "PhantomNet", "PoisonIvy", "Royal Road" ], "source_id": "Secureworks", "reports": null }, { "id": "2a24d664-6a72-4b4c-9f54-1553b64c453c", "created_at": "2025-08-07T02:03:24.553048Z", "updated_at": "2026-04-10T02:00:03.787296Z", "deleted_at": null, "main_name": "BRONZE ATLAS", "aliases": [ "APT41 ", "BARIUM ", "Blackfly ", "Brass Typhoon", "CTG-2633", "Earth Baku ", "GREF", "Group 72 ", "Red Kelpie ", "TA415 ", "TG-2633 ", "Wicked Panda ", "Winnti" ], "source_name": "Secureworks:BRONZE ATLAS", "tools": [ "Acehash", "CCleaner v5.33 backdoor", "ChinaChopper", "Cobalt Strike", "DUSTPAN", "Dicey MSDN", "Dodgebox", "ForkPlayground", "HUC Proxy Malware (Htran)" ], "source_id": "Secureworks", "reports": null }, { "id": "6daadf00-952c-408a-89be-aa490d891743", "created_at": "2025-08-07T02:03:24.654882Z", "updated_at": "2026-04-10T02:00:03.645565Z", "deleted_at": null, "main_name": "BRONZE PRESIDENT", "aliases": [ "Earth Preta ", "HoneyMyte ", "Mustang Panda ", "Red Delta ", "Red Lich ", "Stately Taurus ", "TA416 ", "Temp.Hex ", "Twill Typhoon " ], "source_name": "Secureworks:BRONZE PRESIDENT", "tools": [ "BlueShell", "China Chopper", "Claimloader", "Cobalt Strike", "HIUPAN", "ORat", "PTSOCKET", "PUBLOAD", "PlugX", "RCSession", "TONESHELL", "TinyNote" ], "source_id": "Secureworks", "reports": null }, { "id": "fad89cb7-83e8-4d8c-8cf8-dce2c6e54479", "created_at": "2023-10-27T02:00:07.764261Z", "updated_at": "2026-04-10T02:00:03.378226Z", "deleted_at": null, "main_name": "Camaro Dragon", "aliases": [], "source_name": "MISPGALAXY:Camaro Dragon", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "b5449533-0ff1-4048-999d-7d4bfd8e6da6", "created_at": "2022-10-25T16:07:24.114365Z", "updated_at": "2026-04-10T02:00:04.869887Z", "deleted_at": null, "main_name": "RedDelta", "aliases": [ "Operation Dianxun", "TA416" ], "source_name": "ETDA:RedDelta", "tools": [ "Agent.dhwf", "Agentemis", "Chymine", "Cobalt Strike", "CobaltStrike", "Darkmoon", "Destroy RAT", "DestroyRAT", "Gen:Trojan.Heur.PT", "Kaba", "Korplug", "PlugX", "Poison Ivy", "RedDelta", "SPIVY", "Sogu", "TIGERPLUG", "TVT", "Thoper", "Xamtrav", "cobeacon", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null }, { "id": "9baa7519-772a-4862-b412-6f0463691b89", "created_at": "2022-10-25T15:50:23.354429Z", "updated_at": "2026-04-10T02:00:05.310361Z", "deleted_at": null, "main_name": "Mustang Panda", "aliases": [ "Mustang Panda", "TA416", "RedDelta", "BRONZE PRESIDENT", "STATELY TAURUS", "FIREANT", "CAMARO DRAGON", "EARTH PRETA", "HIVE0154", "TWILL TYPHOON", "TANTALUM", "LUMINOUS MOTH", "UNC6384", "TEMP.Hex", "Red Lich" ], "source_name": "MITRE:Mustang Panda", "tools": [ "CANONSTAGER", "STATICPLUGIN", "ShadowPad", "TONESHELL", "Cobalt Strike", "HIUPAN", "Impacket", "SplatCloak", "PAKLOG", "Wevtutil", "AdFind", "CLAIMLOADER", "Mimikatz", "PUBLOAD", "StarProxy", "CorKLOG", "RCSession", "NBTscan", "PoisonIvy", "SplatDropper", "China Chopper", "PlugX" ], "source_id": "MITRE", "reports": null }, { "id": "eeea8091-668c-4e89-9c67-e688fd599365", "created_at": "2024-10-08T02:00:04.464686Z", "updated_at": "2026-04-10T02:00:03.723141Z", "deleted_at": null, "main_name": "CeranaKeeper", "aliases": [], "source_name": "MISPGALAXY:CeranaKeeper", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "8386d4af-5cca-40bb-91d7-aca5d1a0ec99", "created_at": "2022-10-25T16:07:23.414558Z", "updated_at": "2026-04-10T02:00:04.588816Z", "deleted_at": null, "main_name": "Bookworm", "aliases": [], "source_name": "ETDA:Bookworm", "tools": [ "Agent.dhwf", "Chymine", "Darkmoon", "Destroy RAT", "DestroyRAT", "FF-RAT", "FormerFirstRAT", "Gen:Trojan.Heur.PT", "Kaba", "Korplug", "PlugX", "Poison Ivy", "RedDelta", "SPIVY", "Scieron", "Sogu", "TIGERPLUG", "TVT", "Thoper", "Xamtrav", "ffrat", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null }, { "id": "2ee03999-5432-4a65-a850-c543b4fefc3d", "created_at": "2022-10-25T16:07:23.882813Z", "updated_at": "2026-04-10T02:00:04.776949Z", "deleted_at": null, "main_name": "Mustang Panda", "aliases": [ "Bronze President", "Camaro Dragon", "Earth Preta", "G0129", "Hive0154", "HoneyMyte", "Mustang Panda", "Operation SMUGX", "Operation SmugX", "PKPLUG", "Red Lich", "Stately Taurus", "TEMP.Hex", "Twill Typhoon" ], "source_name": "ETDA:Mustang Panda", "tools": [ "9002 RAT", "AdFind", "Agent.dhwf", "Agentemis", "CHINACHOPPER", "China Chopper", "Chymine", "ClaimLoader", "Cobalt Strike", "CobaltStrike", "DCSync", "DOPLUGS", "Darkmoon", "Destroy RAT", "DestroyRAT", "Farseer", "Gen:Trojan.Heur.PT", "HOMEUNIX", "Hdump", "HenBox", "HidraQ", "Hodur", "Homux", "HopperTick", "Hydraq", "Impacket", "Kaba", "Korplug", "LadonGo", "MQsTTang", "McRAT", "MdmBot", "Mimikatz", "NBTscan", "NetSess", "Netview", "Orat", "POISONPLUG.SHADOW", "PUBLOAD", "PVE Find AD Users", "PlugX", "Poison Ivy", "PowerView", "QMAGENT", "RCSession", "RedDelta", "Roarur", "SPIVY", "ShadowPad Winnti", "SinoChopper", "Sogu", "TIGERPLUG", "TONEINS", "TONESHELL", "TVT", "TeamViewer", "Thoper", "TinyNote", "WispRider", "WmiExec", "XShellGhost", "Xamtrav", "Zupdax", "cobeacon", "nbtscan", "nmap", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434795, "ts_updated_at": 1775792194, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/ac6eb2297b269291b1b2d8ebdb84f784afa2a164.pdf", "text": "https://archive.orkl.eu/ac6eb2297b269291b1b2d8ebdb84f784afa2a164.txt", "img": "https://archive.orkl.eu/ac6eb2297b269291b1b2d8ebdb84f784afa2a164.jpg" } }